Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
Willem Toorop <willem@nlnetlabs.nl> Thu, 20 July 2017 09:48 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7348213170E for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.002
X-Spam-Level:
X-Spam-Status: No, score=-7.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrdDsVeAgJkA for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:48:56 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1C7613157A for <dnsop@ietf.org>; Thu, 20 Jul 2017 02:48:53 -0700 (PDT)
Received: from [IPv6:2001:67c:370:128:386d:ca0b:2cef:6352] (unknown [IPv6:2001:67c:370:128:386d:ca0b:2cef:6352]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id EC0F3B06E for <dnsop@ietf.org>; Thu, 20 Jul 2017 11:48:51 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1500544132; bh=CVw+hhO3lzDS+VW7wHtsaLsa8s4QfMK0SHJAde+wrTs=; h=Subject:To:References:From:Date:In-Reply-To; b=wBc9RVZ7/CFJjUtXkWSfs2WkYA7YertjjHvXQ8bTKjmwoaY2SRWIU3rhmuKgKyBgt /xoSDSB1vJRBzEex0pdntTiabIUUrcuXlSU0lBkgCZh5Mk/p/xtofdAeGJ0ggzIRsU QZTd2krxhIWs4lsfACixG53Jlud0rY5nGTicyFRg=
To: dnsop@ietf.org
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <CAN6NTqwB8b1aFsZg=LnaLWLrhLDe9-N3CVPO=qcHWXZTqSettg@mail.gmail.com> <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <257a0f7a-a78d-d665-512f-ff2a71dfaede@nlnetlabs.nl>
Date: Thu, 20 Jul 2017 11:48:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pEMEM2xmtI-5aq_4074E8j-uQ1M>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 09:48:58 -0000
Op 20-07-17 om 10:45 schreef Shumon Huque: > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson > <olafur@cloudflare.com <mailto:olafur@cloudflare.com>> wrote: > > > I disagree, if a zone operator selects "less-than" common algorithm > they do that at their own risk, > if the risk is not acceptable then it should dual sign.... > > > Yes. The point I was trying to make is that DANE sites (and probably > others if they care about security) cannot afford to fail open. So they > have to dual sign if they can stomach the costs, or delay deploying new > algorithms for a long time. This draft is intended to (eventually) make > the dual signing case easier to deal with operationally. So, Providers of DANE backed services are stuck on the well-known algorithms, and do not have insight on algorithm support by clients verifying these services with DANE. This draft in combination with double signing, provides the means to deal with this (and in a secure manner too). I think this is an important motivation of this work and that this should be reflected in the Introduction section of the draft. -- Willem > > -- > Shumon Huque > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] New draft: Algorithm Negotiation in DNSSEC Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Bob Harold
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Michael H. Warfield
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Paul Wouters
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Mark Andrews
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Paul Wouters
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Ted Lemon
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Stephane Bortzmeyer
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Stephane Bortzmeyer
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Willem Toorop
- Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
- [DNSOP] The DNSSEC club and surprises (was Re: Ne… Andrew Sullivan
- Re: [DNSOP] The DNSSEC club and surprises (was Re… Tony Finch
- Re: [DNSOP] The DNSSEC club and surprises (was Re… Warren Kumari
- Re: [DNSOP] The DNSSEC club and surprises (was Re… George Michaelson
- Re: [DNSOP] The DNSSEC club and surprises (was Re… Warren Kumari
- Re: [DNSOP] The DNSSEC club and surprises (was Re… Peter van Dijk